1. Field of the Invention
Embodiments of the present invention relate to methods and systems for detecting hypertext transport protocol attacks and hypertext transport protocol intrusion detection evasions from packets observed on a network. More particularly, embodiments of the present invention relate to systems and methods for associating a Web server hypertext transport protocol intrusion detection policy with a network device, decoding universal resource identifiers from network packets based on the Web server hypertext transport protocol intrusion detection policy, and decoding obfuscations within the universal resource identifiers based on the Web server hypertext transport protocol intrusion detection policy.
2. Background Information
A typical intrusion detection system (IDS) reads a network packet, decomposes the packet into one or more application protocols, and compares stored patterns known to constitute network or computer attacks to the data contained in the one or more application protocols. Usually, the stored patterns are character strings, which are directly compared to the characters of the protocol data.
Hypertext transport protocol (HTTP) is an application protocol that IDSs must examine. HTTP is used primarily to communicate between Web clients and Web servers. Encoding schemes are used extensively in HTTP. These encoding schemes convert character representations from one form to another. These encoding schemes are used for many different reasons. Some encoding schemes are used to distinguish certain characters of special meaning in HTTP. Others are used to reduce the amount of traffic sent between Web clients and Web servers. In addition, not all of the encoding schemes used in HTTP communication are standardized. For example, an encoding scheme may be unique to a particular Web server developed by a particular vendor.
As a result, the encoding schemes used in HTTP present a significant problem for an IDS. The IDS cannot simply compare its patterns directly to the HTTP data. If the IDS does, an attacker can avoid detection by using an HTTP encoding scheme to hide all or a portion of the menacing pattern. Using an HTTP encoding scheme to hide a menacing pattern is called an HTTP IDS evasion.
HTTP IDS evasions have been popular since a web scanner, called whisker, was first released to the public. Many of the original HTTP IDS evasions were contained in that first release of whisker. These evasions included using multiple slashes to obfuscate directories and inserting “HTTP/1.0” in the universal resource locator (URL) to evade an algorithm that an IDS might use to find the URL in a packet.
In addition to the evasions that whisker presented, there were other types of HTTP obfuscations that were propagated. One evasion was obfuscating a URL. This evasion was accomplished by using an absolute URL instead of a relative URL. While these other types of evasions were important, they were not as evasive or popular as the basic whisker scans.
Another popular evasion came about with the public release of an eight-bit Unicode transformation format (UTF-8) encoding exploit for the Microsoft™ Internet Information Services (IIS) Web server. In addition to being a vulnerability for IIS, this encoding exploit also presented an encoding method for URLs in a way that had not been implemented in IDSs. Up until this exploit, most IDSs had instituted safeguards against the previous whisker evasions of ASCII encoding and directory traversal, but did not protect against UTF-8 encoding of Unicode code points.
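As an added illustration, not part of the original document, of why a string-only IDS must canonicalise a URI before comparing patterns, the following Python normaliser strips an absolute URL to its path, percent-decodes, interprets the resulting bytes as UTF-8, collapses repeated slashes and resolves directory traversal, and reports which obfuscations it undid. The signature "/cgi-bin/phf" and the sample URIs are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed signature for illustration: a classic whisker-era target path.
SIGNATURE = "/cgi-bin/phf"

def normalize_uri(raw):
    """Canonicalise a request URI the way an HTTP-aware IDS preprocessor
    would; returns (canonical_path, obfuscations_seen)."""
    seen, uri = [], raw
    # Absolute URL: strip scheme and authority so only the path is matched.
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*", uri)
    if m:
        seen.append("absolute_url")
        uri = uri[m.end():] or "/"
    # Percent-decode to bytes first, then interpret the bytes as UTF-8.
    if "%" in uri:
        seen.append("percent_encoding")
    raw_bytes = unquote_to_bytes(uri)
    try:
        uri = raw_bytes.decode("utf-8")
        if any(b > 0x7F for b in raw_bytes):
            seen.append("utf8_encoding")
    except UnicodeDecodeError:
        seen.append("malformed_utf8")  # an invalid sequence is itself a signal
        uri = raw_bytes.decode("utf-8", errors="replace")
    # Collapse repeated slashes and resolve "." / ".." segments.
    if "//" in uri:
        seen.append("multiple_slashes")
    parts = []
    for seg in uri.split("/"):
        if seg == "..":
            seen.append("directory_traversal")
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts), list(dict.fromkeys(seen))

def naive_match(raw, pattern=SIGNATURE):
    """A string-only IDS: compare the pattern to the bytes on the wire."""
    return pattern in raw

def normalized_match(raw, pattern=SIGNATURE):
    """Compare against the canonical path; also report what was decoded."""
    path, seen = normalize_uri(raw)
    return pattern in path, seen
```

For the constructed request `//cgi-bin/./%70hf`, `naive_match` returns False while `normalized_match` returns True together with the obfuscations it removed.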
Other types of HTTP IDS evasions have utilized HTTP protocol properties. One of these evasions used the property of request pipelining. Another evasion used the content-encoding header to encode HTTP request parameters in a request payload.
In view of the foregoing, it can be appreciated that a substantial need exists for systems and methods that can advantageously allow IDSs to identify HTTP IDS evasions that utilize HTTP encoding schemes or HTTP protocol parameters.